Educause Security Discussion mailing list archives
Re: IRC, IM Proxy Implementations
From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Wed, 8 Sep 2004 13:53:20 -0500
Ok, I did as suggested and used the -sV and --packet-trace options and scanned all 65535 ports w/ Nmap 3.5

Very, very verbose:

Interesting ports on 131.204.x.x:
(The 65525 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE        VERSION
113/tcp   open  auth?
135/tcp   open  msrpc          Microsoft Windows msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap?
445/tcp   open  microsoft-ds   Microsoft Windows XP microsoft-ds
1002/tcp  open  windows-icfw?
1025/tcp  open  mstask         Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1720/tcp  open  microsoft-rdp  Microsoft Terminal Service (Used with Netmeeting, Remote Desktop, Remote Assistance)
3008/tcp  open  unknown
3009/tcp  open  unknown

Also, NSOCK READ SUCCESS output from the scan:

NSOCK (101.7600s) Callback: READ SUCCESS for EID 106 [131.204.x.x:113] (30 bytes): 5748, 80 : USERID : UNIX : p..
NSOCK (106.7580s) Callback: READ SUCCESS for EID 210 [131.204.x.x:139] [EOF](5 bytes): .....
NSOCK (106.7590s) Callback: READ SUCCESS for EID 194 [131.204.x.x:135] (24 bytes): ...............@........
NSOCK (106.7600s) Callback: READ SUCCESS for EID 226 [131.204.x.x:445] (115 bytes)
NSOCK (126.7820s) Callback: READ SUCCESS for EID 450 [131.204.x.x:1720] (23 bytes): ........Z~....@....J..X
NSOCK (126.7850s) Callback: READ SUCCESS for EID 530 [131.204.x.x:1720] (23 bytes): ........Z~....@....J..X
NSOCK (126.7870s) Callback: READ SUCCESS for EID 562 [131.204.x.x:1720] (23 bytes): ........Z~....@....J..X
NSOCK (131.7900s) Callback: READ SUCCESS for EID 642 [131.204.x.x:1720] (23 bytes): ........Z~....@....J..X
NSOCK (131.8300s) Callback: READ SUCCESS for EID 674 [131.204.x.x:1720] (23 bytes): ........Z~....@....J..X
NSOCK (141.7790s) Callback: READ SUCCESS for EID 778 [131.204.x.x:1025] (24 bytes): ...............@......-.
NSOCK (151.8350s) Callback: READ SUCCESS for EID 850 [131.204.x.x:1720] (23 bytes): ........Z~....@....J..X

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347
flynngn () JMU EDU 9/8/2004 12:41:43 PM >>>
Mark Wilson wrote:
I assume you mean lower case v (-v). Anyway, here it is:

[root@willma root]# nmap -v -p 1-65535 131.204.x.x
Nope. Upper case V. In nmap 3.5 and later, the -V option performs a variety of things to attempt to identify the service listening on open ports that are found. If it doesn't recognize the service, it prints a fingerprint that can be submitted to the developer along with information about the service so it will be included in the next version (at least it did in 3.5, I just tried to produce it in 3.55 and it didn't print the unknown fingerprint).

It would seem to be a very useful tool for malware detection and identification if we could update the signature database rapidly. That is why I was wondering if you'd tried it on the malware services listening on the auth port.

Output looks like this:

PORT       STATE SERVICE  VERSION
21/tcp     open  ftp      NcFTPd
22/tcp     open  ssh      OpenSSH 3.6.1p2 (protocol 2.0)
80/tcp     open  http     Apache httpd 2.0.49 ((Unix))
111/tcp    open  rpcbind  2 (rpc #100000)
199/tcp    open  smux     Linux SNMP multiplexer
7937/tcp   open  nsrexec  1 (rpc #390113)
32768/tcp  open  status   1 (rpc #100024)

PORT      STATE SERVICE          VERSION
80/tcp    open  http             Microsoft IIS webserver 6.0
135/tcp   open  msrpc            Microsoft Windows msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https?
445/tcp   open  microsoft-ds     Microsoft Windows 2003 microsoft-ds
1025/tcp  open  msrpc            Microsoft Windows msrpc
1026/tcp  open  msrpc            Microsoft Windows msrpc
1037/tcp  open  msrpc            Microsoft Windows msrpc
1055/tcp  open  unknown
1311/tcp  open  securetransport  Tumbleweed SecureTransport Transaction Manager Secure Port
3389/tcp  open  microsoft-rdp    Microsoft Terminal Service (Windows 2000 Server)
5881/tcp  open  vnc-http         WinVNC (Server: XXXX; Resolution 1024x800; VNC TCP port: 5981; May be standard or TightVNC)
5981/tcp  open  vnc              VNC (protocol 3.3)
6288/tcp  open  http             Microsoft IIS webserver 6.0
8000/tcp  open  http-alt?
8009/tcp  open  ajp13?
8080/tcp  open  http             Apache Tomcat/Coyote JSP engine 1.0
8443/tcp  open  msdtc            Microsoft Distributed Transaction Coordinator

And on the auth port: (I'd better check these now)

113/open/tcp//ident//Internet Rex identd/
113/open/tcp//ident//Internet Rex identd/
113/open/tcp//auth?///
113/open/tcp//auth?///
113/open/tcp//auth?///
113/open/tcp//ident//Internet Rex identd/
113/open/tcp//auth?///
113/open/tcp//auth?///
113/open/tcp//auth?///
113/open/tcp//ident//Liedentd (Claimed user: XXXX)/
113/open/tcp//ident//Internet Rex identd/
113/open/tcp//ident//Internet Rex identd/
113/open/tcp//ident//OpenBSD identd/

Again, it didn't print the signature when the service was unknown as I expected it to and as it did in 3.5. Maybe it's an option on 3.55.

--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
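
Added example, not part of the original messages: a small triage script for the kind of auth-port results quoted above, which are in Nmap's greppable (-oG) port-entry form. The sample hosts, the verdict names and the "ident on a Windows host deserves a look" heuristic are assumptions made for this illustration.

```python
import re

# Constructed sample in -oG form (tab-separated fields, documentation addresses).
SAMPLE = """\
Host: 192.0.2.10 ()\tPorts: 113/open/tcp//ident//Internet Rex identd/, 135/open/tcp//msrpc//Microsoft Windows msrpc/, 1720/open/tcp//microsoft-rdp//Microsoft Terminal Service (Used with Netmeeting, Remote Desktop, Remote Assistance)/
Host: 192.0.2.11 ()\tPorts: 113/open/tcp//auth?///, 445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/
Host: 192.0.2.12 ()\tPorts: 22/open/tcp//ssh//OpenSSH 3.6.1p2 (protocol 2.0)/, 113/open/tcp//ident//OpenBSD identd/
Host: 192.0.2.13 ()\tPorts: 113/closed/tcp//auth///
"""

# One port entry is port/state/proto/owner/service/rpcinfo/version/ .
# Nmap writes "/" inside a version as "|", so matching seven slash-terminated
# fields is safe even when the version text itself contains ", ".
ENTRY = re.compile(r"(\d+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

def parse_grepable(text):
    """Return {host: [(port, state, service, version), ...]} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        for field in line.split("\t"):
            if line.startswith("Host: ") and field.startswith("Ports: "):
                host = line.split()[1]
                hosts[host] = [(int(m[1]), m[2], m[5], m[7])
                               for m in ENTRY.finditer(field[len("Ports: "):])]
    return hosts

def triage_ident(hosts, port=113):
    """Classify every host that has the ident/auth port open."""
    report = {}
    for host, ports in hosts.items():
        hit = [p for p in ports if p[0] == port and p[1] == "open"]
        if not hit:
            continue
        _, _, service, version = hit[0]
        windows = any("Microsoft Windows" in p[3] for p in ports)
        if service.endswith("?") or not version:
            verdict = "unidentified"      # name guessed from port number, no probe match
        elif windows:
            verdict = "ident-on-windows"  # heuristic only: worth a look, not proof
        else:
            verdict = "identified"
        report[host] = (verdict, version)
    return report

if __name__ == "__main__":
    for host, (verdict, version) in triage_ident(parse_grepable(SAMPLE)).items():
        print(host, verdict, version or "-")
```

Hosts reported as "unidentified" are the ones where version detection matched no known ident daemon, which is the case the thread is asking about.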